Skill v1.0.0

ClawScan security

Card Value · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 1:24 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested access and instructions are proportionate to its stated purpose (estimating a card's first-year value); it is an instruction-only skill that does not require credentials or install-time actions.
Guidance
This skill appears coherent and low-risk: it only fetches public web pages to estimate a card's first-year value and does not request secrets by default. If you install it, consider these points: (1) only provide a BRAVE_API_KEY if you trust the skill/owner — the key would let the skill call Brave Search directly; (2) the skill performs web requests (WebFetch/WebSearch), so search queries will go over the network — avoid entering any personal financial credentials into the conversation; (3) the skill prefers a handful of secondary sources (NerdWallet, TPG, Bankrate, etc.) and disallows forums/social media, which limits noisy sources; and (4) because the skill is instruction-only and the owner is unknown, review sample queries/responses the first few times to ensure results and citations meet your expectations before relying on the estimates.

Review Dimensions

Purpose & Capability
ok · Name/description (first-year card value estimate) aligns with the runtime instructions: the SKILL.md describes resolving card variants, searching issuer pages and a small set of secondary sources, scraping fee/bonus/earn/credits, and computing a value. No unrelated credentials, binaries, or installs are required. Optional use of a search API (BRAVE_API_KEY) and curl is reasonable for repeatable searches.
Instruction Scope
ok · Runtime steps stay within the described scope: use WebSearch/WebFetch and (optionally) Brave Search via curl to gather public card data, then compute value from explicitly listed fields. The instructions do not ask the agent to read arbitrary local files, system credentials, or transmit user data to unexpected endpoints. It does permit network calls (WebFetch/WebSearch/Brave); that is expected for a web-research skill.
Install Mechanism
ok · This is instruction-only with no install spec and no code files, so nothing will be written to disk. Low-risk install posture.
Credentials
ok · No required environment variables or credentials. BRAVE_API_KEY and curl are declared as optional; their use is documented and limited to querying Brave Search if the user supplies the key. There are no surprising or excessive secret requests.
Persistence & Privilege
ok · "always" is false and the skill is not requesting elevated or persistent system privileges. It does not instruct modification of other skills or global agent settings.